Fluid Attacks Database

Description

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	node-minimatch	=9.0.3-6 \|\| >=0 <9.0.7-1	9.0.7-1
debian 11	node-minimatch	=3.0.4+~3.0.3-1 \|\| =3.0.4+~3.0.3-1+deb11u1 \|\| =3.0.4+~3.0.3-1+deb11u2 \|\| =3.0.4+~3.0.5-1 \|\| =3.0.5+~3.0.5-1 \|\| =3.1.1+~3.0.5-1 \|\| =5.0.0+~3.0.5-1 \|\| =5.0.0+~3.0.5-2 \|\| =5.1.0+~3.0.5-1 \|\| =5.1.1+~5.1.2-1 \|\| =9.0.3-1 \|\| =9.0.3-2 \|\| =9.0.3-3 \|\| =9.0.3-4 \|\| =9.0.3-5 \|\| =9.0.3-6 \|\| =9.0.7-1	-
debian 12	node-minimatch	=5.1.1+~5.1.2-1 \|\| =9.0.3-1 \|\| =9.0.3-2 \|\| =9.0.3-3 \|\| =9.0.3-4 \|\| =9.0.3-5 \|\| =9.0.3-6 \|\| =9.0.7-1	-
debian 13	node-minimatch	=9.0.3-6 \|\| =9.0.7-1	-
npm	minimatch	>=10.0.0 <10.2.1 \|\| >=9.0.0 <9.0.6 \|\| >=8.0.0 <8.0.5 \|\| >=7.0.0 <7.4.7 \|\| >=6.0.0 <6.2.1 \|\| >=5.0.0 <5.1.7 \|\| >=4.0.0 <4.2.4 \|\| >=0 <3.1.3	10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3
rpm rhel10	nodejs-nodemon	-	-
rpm rhel8	nodejs	<1:20.20.2-1.module+el8.10.0+24197+1602b452	1:20.20.2-1.module+el8.10.0+24197+1602b452
rpm rhel9	nodejs	<1:20.20.2-1.module+el9.7.0+24193+41b7b572	1:20.20.2-1.module+el9.7.0+24193+41b7b572
rpm rhel10	nodejs22	<1:22.22.2-1.el10_1	1:22.22.2-1.el10_1
rpm rhel10	nodejs24	<1:24.14.1-2.el10_1	1:24.14.1-2.el10_1

1-10 of 14

Aliases

1. CVE-2026-269962. NVD-2026-269963. OSV-DEBIAN-2026-269964. OSV-2026-269965. GHSA-3ppc-4f35-3m266. GCVE-2026-269967. SECURITY-TRACKER-CVE-2026-26996

References

1. https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m262. https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.